2 Defining what is a threat, a vulnerability versus an impact

People assess risk regarding their information assets, home PC, BlackBerry, or going skiing or hiking this weekend by structuring the issue. For comprehensive risk management, however, one has to address threats, vulnerabilities and the impact on operations (or on one's PC) to arrive at a comprehensive risk assessment (see Table below and Figure). This is discussed here in more detail.

Individuals try to structure the problem by considering the likelihood of the threat, the vulnerability one might be exposed to, and the impact it would all have if the case occurs where one breaks a leg, loses a file or loses a hard disk.

Depending upon that information, a decision will be made resulting in an action, such as patching the vulnerable software by downloading and installing the latest version in which the vulnerability has been eliminated.

Management and/or the risk officer have to decide whether a particular scenario or case warrants action. The decision either to live with the risk or to fix the problem is critical to protecting information assets and staying compliant.
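The three-factor assessment described above (threat likelihood, vulnerability, impact) and the resulting live-with-it-or-fix-it decision, as an added worked example that is not part of the original text. The ordinal 1..3 scales, the risk appetite threshold and the sample scenarios are constructed assumptions for illustration, not values from the source.

```python
from dataclasses import dataclass, replace

# Three-factor model from the text: threat likelihood, vulnerability, impact.
# Ordinal 1..3 scales and the appetite threshold are constructed for this example.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
VULNERABILITY = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}
RISK_APPETITE = 8  # scores above this warrant action; at or below, live with it


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: str         # likelihood that the threat materialises
    vulnerability: str  # how exposed the asset is to that threat
    impact: str         # consequence on operations (or one's PC) if it occurs


def risk_score(s: Scenario) -> int:
    """Combine the three factors into a single score in the range 1..27."""
    return LIKELIHOOD[s.threat] * VULNERABILITY[s.vulnerability] * IMPACT[s.impact]


def decide(s: Scenario, appetite: int = RISK_APPETITE) -> str:
    """Management decision: 'fix' the problem or 'accept' (live with the risk)."""
    return "fix" if risk_score(s) > appetite else "accept"


def after_treatment(s: Scenario, new_vulnerability: str) -> Scenario:
    """A fix such as patching lowers exposure; threat likelihood and impact stay."""
    return replace(s, vulnerability=new_vulnerability)


def assess(scenarios, appetite: int = RISK_APPETITE) -> dict:
    """Return {name: (score, decision, residual score once vulnerability is 'low')}."""
    result = {}
    for s in scenarios:
        residual = risk_score(after_treatment(s, "low"))
        result[s.name] = (risk_score(s), decide(s, appetite), residual)
    return result


# Constructed sample register, drawn from the scenarios the text mentions.
REGISTER = [
    Scenario("unpatched software on home PC", "likely", "high", "moderate"),
    Scenario("hard disk failure, no backup", "possible", "high", "severe"),
    Scenario("broken leg while skiing", "possible", "low", "severe"),
]

if __name__ == "__main__":
    for name, (score, decision, residual) in assess(REGISTER).items():
        print(f"{name}: score={score} decision={decision} residual={residual}")
```

Only the vulnerability factor changes when a fix is applied; the threat does not go away and the impact of a successful event stays the same, which is why residual risk is what the decision should be compared against the appetite.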